
There have been already a series of email attacks in the last two months which have the earmarks of the two Russian state sponsored hacking teams that hacked into the three US State election databases and into the DNC.....there was this week an attack on an election database taking the data of all voters...millions of personal datasets...

Email attacks have been targeting journalists both independent...bloggers...and those working for MSM outlets..

We have seen similar attempts here in Germany in the same time frame in the last two months....

WHY do we know that it was and or is the two Russian state sponsored hacking teams?

If anyone has been in a SIGINT collection site you have what as known as 98Hs....H for Hogs....who monitor all morse code transmitters....and with morse code hand keyers...each and every hand had a different touch and feel on the key thus a "signature".

That is the same with these two hacking teams...when you are successful you tend to keep what works and discard what does not...and in the end it is the hand of the hacker that types on his keyboard and each hacker has their own style on the keys and has favorite commands....thus a "signature"....

And lately there is a reoccurring set of "signatures" that can be tracked...regardless of how well one hides on the darknet....footprints are always still present days later...

Comments reference the WL CIA data dump from yesterday attempting to tie CIA to the Russian DNC hack and support the Trump and company thesis of being attacked by the "Deep State"....

Tuesday, March 07, 2017
Some comments on the Wikileaks CIA/#vault7 leak

I thought I'd write up some notes about the Wikileaks CIA "#vault7" leak. This post will be updated frequently over the next 24 hours.

The CIA didn't remotely hack a TV. The docs are clear that they can update the software running on the TV using a USB drive. There's no evidence of them doing so remotely over the Internet. If you aren't afraid of the CIA breaking in and installing a listening device, then you shouldn't be afraid of the CIA installing listening software.

The CIA didn't defeat Signal/WhatsApp encryption. The CIA has some exploits for Android/iPhone. If they can get on your phone, then of course they can record audio and screenshots. Technically, this bypasses/defeats encryption -- but such phrases used by Wikileaks are highly misleading, since nothing related to Signal/WhatsApp is happening. What's happening is the CIA is bypassing/defeating the phone. Sometimes. If they've got an exploit for it, or can trick you into installing their software.

There's no overlap or turf war with the NSA. The NSA does "signals intelligence", so they hack radios and remotely across the Internet. The CIA does "human intelligence", so they hack locally, with a human. The sort of thing they do is bribe, blackmail, or bedazzle some human "asset" (like a technician in a nuclear plant) to stick a USB drive into a slot. All the various military, law enforcement, and intelligence agencies have hacking groups to help them do their own missions.

The CIA isn't more advanced than the NSA. Most of this dump is child's play, simply malware/trojans cobbled together from bits found on the Internet. Sometimes they buy more advanced stuff from contractors, or get stuff shared from the NSA. Technologically, they are far behind the NSA in sophistication and technical expertise.

The CIA isn't hoarding 0days. For one thing, few 0days were mentioned at all. The CIA's techniques rely upon straightforward hacking, not super secret 0day hacking. Second of all, they aren't keeping 0days back in a vault somewhere -- if they have 0days, they are using them.

The VEP process is nonsense. Activists keep mentioning the "vulnerability equities process", in which all those interested in 0days within the government have a say in what happens to them, with the eventual goal that they be disclosed to vendors. The VEP is nonsense. The activist argument is nonsense. As far as I can tell, the VEP is designed as busy work to keep people away from those who really use 0days, such as the NSA and the CIA. If they spend millions of dollars buying 0days because it has that value in intelligence operations, they aren't going to destroy that value by disclosing to a vendor. If VEP forces disclosure, disclosure still won't happen, the NSA will simply stop buying vulns.

There are no false flags. In several places, the CIA talks about making sure that what they do isn't so unique, so it can't be attributed to them. However, Wikileaks's press release hints that the "UMBRAGE" program is deliberately stealing techniques from Russia to use as a false-flag operation. This is nonsense. For example, the DNC hack attribution was live command-and-control servers simultaneously used against different Russian targets -- not a few snippets of code.

This hurts the CIA a lot. Already, one AV researcher has told me that a virus they once suspected came from the Russians or Chinese can now be attributed to the CIA, as it matches the description perfectly to something in the leak. We can develop anti-virus and intrusion-detection signatures based on this information that will defeat much of what we read in these documents. This would put a multi-year delay in the CIA's development efforts. Plus, it'll now go on a witch-hunt looking for the leaker, which will erode morale. Update: Three extremely smart and knowledgeable people who I respect disagree, claiming it won't hurt the CIA a lot. I suppose I'm focusing on "hurting the cyber abilities" of the CIA, not the CIA as a whole, which mostly is non-cyber in function.

The CIA is not cutting edge. A few days ago, Hak5 started selling "BashBunny", a USB hacking tool more advanced than the USB tools in the leak. The CIA seems to get most of their USB techniques from open-source projects, such as Travis Goodspeed's "GoodFET" project.

The CIA isn't spying on us. Snowden revealed how the NSA was surveilling all Americans. Nothing like that appears in the CIA dump. It's all legitimate spy stuff (assuming you think spying on foreign adversaries is legitimate).

Update #2: How is hacking cars and phones not SIGINT (which is the NSA's turf)? The answer is via physical access. For example, they might have a device that plugs into the OBD-II port on the car that quickly updates the firmware of the brakes. Think of it as normal spy activity (e.g. cutting a victim's brakes), but now with cyber.

The presidential election victory of Donald Trump may not be the only thing made illegitimate by Russian tampering. It seems that the GOP congressional majority may also be called into question thanks to our Russian friends (?).
According to the New York Times:
The impact of the information released by the hackers on candidates like Ms. Taddeo in Florida and others in nearly a dozen House races around the country was largely lost in the focus on the hacking attacks against the Democratic National Committee and Hillary Clinton’s presidential campaign. But this untold story underscores the effect the Russian operation had on the American electoral system.[…]
The intrusions in House races in states including Pennsylvania, New Hampshire, Ohio, Illinois, New Mexico and North Carolina can be traced to tens of thousands of pages of documents taken from the D.C.C.C., which shares a Capitol Hill office building with the Democratic National Committee.
“This is not a traditional tit-for-tat on a partisan political campaign, where one side hits the other and then you respond,” said Kelly Ward, executive director of the D.C.C.C. “This is an attack by a foreign actor that had the intent to disrupt our election, and we were the victims of it.”
The information gathered in this cyber attack was then fed to a Florida PAC supporting Paul Ryan, according to a Salon report:
After Florida Democratic House candidate Joe Garcia appeared at a primary debate against opponent Annette Taddeo with a printout of some of the hacked DCCC documents to attack Taddeo, the National Republican Campaign Committee and The Congressional Leadership Fund, a super PAC with close ties to House Speaker Paul Ryan, used the hacked documents to defeat him in the general.
And it appears many in Washington have known about the attacks for a while:
After Guccifer 2.0 targeted the chair of the DCCC, New Mexico’s Ray Lujan, the Democrats sent a letter to his Republican counterpart on Aug. 29 arguing that “the NRCC’s use of documents stolen by the Russians plays right into the hands of one of the United States’ most dangerous adversaries,” and if the National Republican Campaign Committee continued using the materials, the GOP “will be complicit in aiding the Russian government in its effort to influence American elections.”

WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far.
First, to quickly recap what happened: In a post on its site, WikiLeaks said the release — dubbed “Vault 7” — was the largest-ever publication of confidential documents on the agency. WikiLeaks is promising a series of these document caches; this first one includes more than 8,700 files allegedly taken from a high-security network inside CIA’s Center for Cyber Intelligence in Langley, Va.

The home page for the CIA’s “Weeping Angel” project, which sought to exploit flaws that could turn certain 2013-model Samsung “smart” TVs into remote listening posts.
“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
Wikileaks said it was calling attention to the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized exploits against “a wide range of U.S. and European company products, includ[ing] Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”
The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says those exploits may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.
For example, the data dump lists a number of exploit “modules” available to compromise various models of consumer routers made by companies like Linksys, MikroTik and Zyxel, to name a few. CIA researchers also collated several pages worth of probing and testing weaknesses in business-class devices from Cisco, whose powerful routers carry a decent portion of the Internet’s traffic on any given day. Craig Dods, a researcher with Cisco’s rival Juniper, delves into greater detail on the Cisco bugs for anyone interested (Dods says he found no exploits for Juniper products in the cache, yet). Meanwhile, Cisco has published its own blog post on the matter.
WHILE MY SMART TV GENTLY WEEPS
Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that may be limited by very specific requirements — such as physical access to the targeted device.
The “Weeping Angel” project’s page from 2014 is a prime example: It discusses ways to turn certain 2013-model Samsung “smart TVs” into remote listening devices; methods for disabling the LED lights that indicate the TV is on; and suggestions for fixing a problem with the exploit in which the WiFi interface on the TV is disabled when the exploit is run.
ToDo / Future Work:
Build a console cable
Turn on or leave WiFi turned on in Fake-Off mode
Parse unencrypted audio collection
Clean-up the file format of saved audio. Add encryption??
According to the documentation, Weeping Angel worked as long as the target hadn’t upgraded the firmware on the Samsung TVs. It also said the firmware upgrade eliminated the “current installation method,” which apparently required the insertion of a booby-trapped USB device into the TV.
Don’t get me wrong: This is a serious leak of fairly sensitive information. And I sincerely hope Wikileaks decides to work with researchers and vendors to coordinate the patching of flaws leveraged by the as-yet unreleased exploit code archive that apparently accompanies this documentation from the CIA.
But in reading the media coverage of this leak, one might be led to believe that even if you are among the small minority of Americans who have chosen to migrate more of their communications to privacy-enhancing technologies like Signal or WhatsApp, it’s all futility because the CIA can break it anyway.
Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.
As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”
By way of example, Bershidsky points to a tweet yesterday from Open Whisper Systems (the makers of the Signal private messaging app) which observes that, “The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.”
The company went on to say that because more online services are now using end-to-end encryption to prevent prying eyes from reading communications that are intercepted in-transit, intelligence agencies are being pushed “from undetectable mass surveillance to expensive, high-risk, targeted attacks.”

A tweet from Open Whisper Systems, the makers of the popular mobile privacy app Signal.
As limited as some of these exploits appear to be, the methodical approach of the countless CIA researchers who apparently collaborated to unearth these flaws is impressive and speaks to a key problem with most commercial hardware and software today: The vast majority of vendors would rather spend the time and money marketing their products than embark on the costly, frustrating, time-consuming and continuous process of stress-testing their own products and working with a range of researchers to find these types of vulnerabilities before the CIA or other nation-state-level hackers can.
Of course, not every company has a budget of hundreds of millions of dollars just to do basic security research. According to this NBC News report from October 2016, the CIA’s Center for Cyber Intelligence (the alleged source of the documents discussed in this story) has a staff of hundreds and a budget in the hundreds of millions: Documents leaked by NSA whistleblower Edward Snowden indicate the CIA requested $685.4 million for computer network operations in 2013, compared to $1 billion by the U.S. National Security Agency (NSA).
TURNABOUT IS FAIR PLAY?
NBC also reported that the CIA’s Center for Cyber Intelligence was tasked by the Obama administration last year to devise cyber attack strategies in response to Russia’s alleged involvement in the siphoning of emails from Democratic National Committee servers as well as from Hillary Clinton‘s campaign chief John Podesta. Those emails were ultimately published online by Wikileaks last summer.
NBC reported that the “wide-ranging ‘clandestine’ cyber operation designed to harass and ’embarrass’ the Kremlin leadership was being led by the CIA’s Center for Cyber Intelligence.” Could this attack have been the Kremlin’s response to an action or actions by the CIA’s cyber center? Perhaps time (or future leaks) will tell.
Speaking of the NSA, the Wikileaks dump comes hot on the heels of a similar disclosure by The Shadow Brokers, a hacking group that said it stole malicious software from the Equation Group, a highly-skilled and advanced threat actor that has been closely tied to the NSA.
What’s interesting is this Wikileaks cache includes a longish discussion thread among CIA employees who openly discuss where the NSA erred in allowing experts to tie the NSA’s coders to malware produced by the Equation Group. As someone who spends a great deal of time unmasking cybercriminals who invariably leak their identity and/or location through poor operational security, I was utterly fascinated by this exchange.
BUG BOUNTIES VS BUG STOCKPILES
Many are using this latest deluge from WikiLeaks to reopen the debate over whether there is enough oversight of the CIA’s hacking activities. The New York Times called yesterday’s WikiLeaks disclosure “the latest coup for the antisecrecy organization and a serious blow to the CIA, which uses its hacking abilities to carry out espionage against foreign targets.”